Showing posts with the label Windows Tips and Tricks

There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x8024000e)

Got the error below while trying to update Windows 10 (1607).

There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x8024000e)

This can be caused by a low-memory condition, for example if you only have 4GB. As a workaround, enable automatic virtual memory management (Automatically manage paging file size for all drives), see below.

This can also be caused by corrupted distribution files. Fix it by doing the following:

    c:\> net stop wuauserv
    c:\> net stop cryptSvc
    c:\> net stop bits
    c:\> net stop msiserver
    c:\> Ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
    c:\> Ren C:\Windows\System32\catroot2 Catroot2.old
    c:\> net start wuauserv
    c:\> net start cryptSvc
    c:\> net start bits
    c:\> net start msiserver

Log ping output with timestamp

Log ping output with a timestamp to a file. This will create a new log file every hour.

    @echo off
    SETLOCAL EnableDelayedExpansion
    REM set /p host=host Address:
    set host=%1
    echo Host target: %host%
    :Ping
    for /F "tokens=* skip=2" %%A in ('ping %host% -n 1 ') do (
        REM Get the hour
        SET X=%time:~0,2%
        REM Remove space
        SET "X=!X: =!"
        REM Pad with zero
        SET PADDED=0!X!
        REM Get the last 2 chars
        SET PADDED=!PADDED:~-2!
        REM Get the expanded value
        SET CURVAL=!PADDED!
        REM The date offsets below assume %date% looks like "Sun 08/23/2020"
        SET logfile=log_!date:~10,4!-!date:~4,2!-!date:~7,2!_!CURVAL!.log
        echo %date% %time:~0,2%:%time:~3,2%:%time:~6,2% %%A>>!logfile!
        echo %date% %time:~0,2%:%time:~3,2%:%time:~6,2% %%A
        timeout 1 >NUL
        rem GOTO END
        GOTO Ping
    )
    :END

Reference: https://stackoverflow.com/questions/24906268/p

Incorrect IP address is returned when you ping a server by using its NetBIOS name

I was pinging from a Windows 2012 R2 machine to a Windows 2016 machine. Both are multi-homed boxes: Windows 2012 R2 has 3 NIC cards, Windows 2016 has 4.

Windows will try to figure out the best interface to use by determining the quality of the network connection, which eventually shows up as the metric of the interface. The lower the metric number, the higher the order of preference.

In one case, I had 2 network interfaces on a flat network (no routing) and one interface that is routed but has the lowest metric. The issue was that that one network thinks it has the IP of the given NetBIOS name but was actually pointing to the wrong IP; it seems like one of the routers has cached the IP incorrectly. Tracing where it was cached is not easy, especially if you don't have control of the network.

Anyway, since the box actually has 3 direct connections to the other unit and it refuses to use the other network interfaces, the best option was to modify hosts file (C:\Windows\System32\drivers\etc\hosts)

Error Code 80092004 when installing KB4516065

Issue: KB4516065, 2019-09 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems (KB4516065), fails to install on a newly created VM (did this around 09/2020).

Solution: Install 2019-03 Servicing Stack Update for Windows Server 2008 R2 for x64-based Systems (KB4490628), windows6.1-kb4490628-x64_d3de52d6987f7c8bdc2c015dca69eac96047c76e.msu. Use this link to download from Windows Catalog: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4490628

Licensing Windows 2008 SP2 in year 2020

Yes, I am still using Windows 2008 SP2, silly me.

Anyway, I tried to activate Windows 2008 SP2 recently (August 2020) but failed with the following error message:

    ---------------------------
    Error Details
    ---------------------------
    The following information was found for this error:
    Code: 0x80072F8F
    Description: A security error occurred
    ---------------------------
    OK
    ---------------------------

Not very useful, eh? Anyway, to fix this install SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019 (link). Essentially, download windows6.0-kb4474419-v4-x86_fd568cb47870cd8ed5ba10e1dd3c49061894030e.msu, install, reboot. Licensing should work after this.

Note that this is also applicable to Windows Server 2008 R2, in which case you have to use windows6.1-kb4474419-v3-x64_b5614c6cea5cb4e198717789633dca16308ef79c.msu.

How to fix The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests

I was trying to add Remote Desktop Licensing role to a server but it failed with WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.

One potential reason for the failure is that Allow Remote Shell Access is disabled in local or domain policy. Start by looking at the local policy: run gpedit.msc and navigate to Computer Configuration | Administrative Templates | Windows Components | Windows Remote Shell. Inside Windows Remote Shell look for Allow Remote Shell Access, and ensure this is set to Enabled or Not Configured.

If it is Not Configured in the local policy and adding the role is failing, then it must be set from the domain policy. To edit domain policy, log in to the Active Directory server and run gpmc.msc and edit either Default Domain Policy or Default Domain Control

How to determine when was the last time the machine was rebooted from exported System Windows Event log

An exported System Windows Event log provides a ton of useful information for digital forensics. One useful piece of information that might be of importance is when the machine was last (re)started.

To find when it was last (re)started, sort on the Date and Time column and then look for entries where Source is Kernel-General and EventID is 12, see below for reference. REF:3

Using Microsoft Log Parser for analysing log files

Date: 8/23/2020

Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®. The application has not been updated since April 20, 2005 but it is still quite useful for analyzing log files. See link below for the download location:

https://www.microsoft.com/en-us/download/details.aspx?id=24659

Example queries

Show me the latest 10 reboots of the local machine.

    logparser "SELECT TOP 10 * FROM System WHERE (EventID = 12) AND (SourceName = 'Microsoft-Windows-Kernel-General') ORDER BY RecordNumber DESC" -i:EVT

Show me the latest 10 reboots of the local machine and save the result to a reboot.csv

    logparser "SELECT TOP 10 * INTO C:/X/reboot.csv FROM System WHERE (EventID = 12) AND (SourceName = 'Micro

How to determine the timezone from exported system Windows Event log

Loading an exported Windows Event log in the Event Viewer application displays times based on local time. To determine the timezone of the log file, look for Event ID 6013 from source/provider EventLog; the timezone is in the seventh data element, see below for reference.

Another thing to note is that you have to consider daylight saving time (DST). In the above example, the timezone is 360 Central Standard Time or UTC-6 but due to DST, instead of adding 360 minutes to the stored time, you have to use 300 or UTC-5.

REF:1
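The two exported-log checks described above (Kernel-General Event ID 12 for the last restart, and EventLog Event ID 6013 for the timezone) can be scripted with PowerShell's Get-WinEvent. This is an added example, not code from the original posts; the file path and variable names are assumptions, and it lets .NET's TimeZoneInfo apply the DST rule instead of adjusting the bias by hand.

```powershell
# Added example: boot times and source timezone from an exported System log.
# $EvtxPath is a hypothetical location; point it at your own export.
$EvtxPath = 'C:\Cases\System.evtx'

# Event ID 6013 (provider EventLog): the seventh data element holds the bias in
# minutes followed by the zone name, e.g. "360 Central Standard Time".
$uptimeEvent = Get-WinEvent -FilterHashtable @{
    Path = $EvtxPath; ProviderName = 'EventLog'; Id = 6013
} -MaxEvents 1
$tzField = [string]$uptimeEvent.Properties[6].Value
$biasMinutes, $zoneName = $tzField -split ' ', 2

# Resolve the name to a zone that carries DST rules. If the analysis machine
# does not know the zone ID, fall back to the fixed bias (no DST correction).
try {
    $zone = [TimeZoneInfo]::FindSystemTimeZoneById($zoneName)
} catch {
    $offset = [TimeSpan]::FromMinutes(-1 * [int]$biasMinutes)
    $zone = [TimeZoneInfo]::CreateCustomTimeZone('SourceZone', $offset, $tzField, $tzField)
}

# Event ID 12 from Kernel-General marks each OS start. Get-WinEvent returns the
# newest records first, so the first row is the last (re)start.
Get-WinEvent -FilterHashtable @{
    Path = $EvtxPath; ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 12
} -MaxEvents 10 | ForEach-Object {
    $utc = $_.TimeCreated.ToUniversalTime()
    [pscustomobject]@{
        RecordId     = $_.RecordId
        BootUtc      = $utc.ToString('u')
        BootAtSource = [TimeZoneInfo]::ConvertTimeFromUtc($utc, $zone).ToString('yyyy-MM-dd HH:mm:ss')
        DstInEffect  = $zone.IsDaylightSavingTime($utc)
        SourceZone   = $tzField
    }
}
```

Reporting the UTC value next to the source-local value keeps the timeline independent of the timezone configured on the analysis workstation.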

Run a task when specific event is logged in Windows Event Log

Running a task when a specific event is logged in Windows Event Log can be very useful when monitoring critical events. For example, you can run a task that sends out an email when an event related to a network interface going down is logged. Of course, this will only be useful if the machine is multi-homed. Anyway, hopefully you get the idea.

Scenario: Run a task when a message “Hello world” is logged to 8thstring log location and the source is 8thsource. It might make sense to see this blog for reference.

Steps:

1. Open Task Scheduler (taskschd.msc /s)
2. Create a task
3. Name it like TestRunTask
4. Under Triggers tab, select New...
5. In the New Trigger window, select On an event for Begin the task, then select Custom and finally click on New Event Filter...
6. In the New Event Filter window, select XML tab then enable Edit query manually
7. You can use the XML fragment below as reference

    <QueryList>
      <Query Id="0" Path="8thstring">
        <Select Path

Open startup folder in Windows 10

To open the system-level (common) startup location using the Run dialog (WinKey+r), type:

    shell:common startup

To open the current user's startup location:

    shell:startup

or from the command line (cmd.exe) do:

    explorer.exe shell:common startup

Reference(s):
http://8thstring.blogspot.com/2013/08/open-all-users-start-up-folder-in.html
http://www.winhelponline.com/blog/shell-commands-to-access-the-special-folders/
http://www.osattack.com/windows-7/huge-list-of-windows-7-shell-commands/
http://support.microsoft.com/kb/2806079